The US Government has issued a mandate to replace traditional lighting with energy-efficient alternatives, such as light emitting diode (LED) lighting. See Pub. L. 110-140, EISA 2007 section 321, originally named the Clean Energy Act of 2007. However, solutions to meet this mandate have created new security exposures for agencies, organizations and consumers. These exposures are new and have no compensating countermeasures. Some energy sources, such as an LED lightbulb, can be compromised, or “bugged,” to carry information in a surreptitious manner. A compromised energy source will exhibit characteristics that are different from those of normal or unmodified sources. These characteristics are usually not detectable by the naked human eye.
Visible light communication refers to short-range optical wireless communication using the visible light spectrum from 380 to 780 nm. One example of visible light communication is varying the intensity of one or more light emitting diodes according to a modulation scheme. Another example is color-shift keying (CSK), a visible light communication technique that is enabled by recent advances in light emitting diode (LED) technology and uses an intensity modulation scheme for two or more colors of LEDs. One type of CSK scheme is outlined in IEEE 802.15.7, in which data is transmitted through the variation of colors and/or intensity emitted by red, green, and blue LEDs. CSK communication is imperceptible to the human eye. IEEE 802.15.7 supports high-data-rate visible light communication up to 96 Mb/s by fast modulation of optical light sources, which may be dimmed during their operation, and provides dimming-adaptable mechanisms for flicker-free high-data-rate visible light communication.
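The following added example, which is not part of the original document, shows why a color-modulated source can look steady to a viewer yet stand out to an RGB light sensor: total brightness stays flat while the share of each color moves. The sensor readings are constructed, and the function names, the 0.02 threshold and the assumption that the source holds total power constant are illustrative choices made for this example.

```python
import random
import statistics

def chromaticity(sample):
    """Map an (R, G, B) intensity reading to normalized (r, g) color shares."""
    r, g, b = sample
    total = r + g + b
    if total <= 0:
        raise ValueError("sensor reading contains no light")
    return r / total, g / total

def analyze(samples, color_threshold=0.02):
    """Compare brightness stability with color-share stability.

    brightness_cv: relative spread of total intensity (what flicker tracks).
    color_spread:  largest standard deviation of the r or g color share.
    suspect:       True when color shares move more than the (assumed) threshold.
    """
    totals = [sum(s) for s in samples]
    shares = [chromaticity(s) for s in samples]
    brightness_cv = statistics.pstdev(totals) / statistics.mean(totals)
    color_spread = max(statistics.pstdev(axis) for axis in zip(*shares))
    return {
        "brightness_cv": brightness_cv,
        "color_spread": color_spread,
        "suspect": color_spread > color_threshold,
    }

def constructed_normal(n=2000, seed=1):
    """Constructed data: unmodified white LED with small sensor noise."""
    rng = random.Random(seed)
    return [tuple(100 + rng.gauss(0, 0.5) for _ in range(3)) for _ in range(n)]

def constructed_color_shifted(n=2000, seed=2):
    """Constructed data: source moving among four color points, each summing to 300."""
    rng = random.Random(seed)
    points = [(140, 80, 80), (80, 140, 80), (80, 80, 140), (100, 100, 100)]
    return [tuple(c + rng.gauss(0, 0.5) for c in rng.choice(points))
            for _ in range(n)]

if __name__ == "__main__":
    for name, data in (("normal", constructed_normal()),
                       ("color-shifted", constructed_color_shifted())):
        print(name, analyze(data))
```

A real survey would need a sensor sampling faster than the modulation rate and a threshold calibrated against known-good fixtures of the same model.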
In accordance with NIST Special Publication 800-53r4, Security and Privacy Controls for Federal Information Systems and Organizations, agencies are required to proactively search for: Information Leakage (section PE-19); Covert Channel Analysis (section SC-31); Out-of-band Channel (section SC-37); Insider Threat (section PM-12).
In short, SP800-53r4 is a guideline for organizations to perform due diligence and look for electronic exploitation or exfiltration of protected data or voice conversations. While this document establishes requirements only for United States Federal systems, there is a need for any agency, organization or consumer, in any part of the world, to establish protective measures against espionage and other forms of security breaches.